sysadm_selinux(8)     sysadm SELinux Policy documentation    sysadm_selinux(8)



NAME

       sysadm_u - General system administration role - Security Enhanced Linux
       Policy



DESCRIPTION

       sysadm_u is an SELinux user defined in the SELinux policy. Every SELinux
       user has a default role, here sysadm_r, and that role has a default
       type, here sysadm_t.

       A Linux user mapped to sysadm_u usually logs in to the system with a
       context that looks like:

       sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023

       Linux users are assigned an SELinux user at login. Login programs (such
       as login, sshd and xdm) use the SELinux user to build the initial
       context of the user's shell, and SELinux policy uses that context to
       control the user's access.

       Accounts without an explicit mapping are assigned the SELinux user of
       the __default__ record. On targeted policy systems __default__ maps to
       the unconfined_u SELinux user.

       You can list all Linux user to SELinux user mappings with:

       semanage login -l

       To change the default mapping to the sysadm_u user, you would execute:

       semanage login -m -s sysadm_u __default__

       Note that this hands the full administrative domain to every account
       that has no more specific mapping; mapping individual accounts or a
       %group entry is the least-privilege choice. Check the ssh_sysadm_login
       and xdm_sysadm_login booleans (see BOOLEANS) before relying on such a
       mapping: with both at their defaults, ssh and X logins as
       sysadm_r:sysadm_t are denied and the account can only log in on a
       console.


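       The mapping and login-context rules above, as an added example that is
       not part of this man page or of the semanage tool. It parses a
       constructed `semanage login -l` listing, applies the lookup order
       libselinux uses for the seusers mapping (an exact login name wins, then
       the first matching %group entry, then __default__), builds the initial
       context from each SELinux user's default role and type, and shows what
       the `semanage login -m -s sysadm_u __default__` change does to the set
       of accounts that land in sysadm_u. The account names, the group
       membership and the listing are all constructed for illustration.

```python
"""Resolve which SELinux user a Linux login lands in, and what initial
context its shell gets, from `semanage login -l` output.

Added example; the command output, the group membership and the login names
are constructed for illustration, not taken from a real host."""

# Constructed sample of `semanage login -l` output.
SEMANAGE_LOGIN_L = """\
Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
%wheel               staff_u              s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
alice                sysadm_u             s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
"""

# Constructed group membership standing in for /etc/group.
GROUPS = {"wheel": {"alice", "bob"}}

# Default role and type each SELinux user logs in with (targeted policy).
DEFAULT_ROLE_TYPE = {
    "sysadm_u": ("sysadm_r", "sysadm_t"),
    "staff_u": ("staff_r", "staff_t"),
    "user_u": ("user_r", "user_t"),
    "unconfined_u": ("unconfined_r", "unconfined_t"),
}


def parse_login_map(text):
    """Return [(login_name, selinux_user, mls_range)] in the order listed."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] == "Login":   # header or blank line
            continue
        entries.append((parts[0], parts[1], parts[2]))
    return entries


def resolve_seuser(login, entries, groups=GROUPS):
    """Lookup order libselinux uses for seusers: exact login name wins,
    then the first %group the login belongs to, then __default__."""
    group_hit = default = None
    for name, seuser, mls in entries:
        if name == login:
            return seuser, mls
        if name.startswith("%") and group_hit is None \
                and login in groups.get(name[1:], set()):
            group_hit = (seuser, mls)
        elif name == "__default__" and default is None:
            default = (seuser, mls)
    return group_hit or default


def initial_context(login, entries, groups=GROUPS):
    """Context a login program hands to the shell: seuser:role:type:range."""
    hit = resolve_seuser(login, entries, groups)
    if hit is None:
        raise LookupError(f"no seusers entry matches {login!r}")
    seuser, mls = hit
    role, typ = DEFAULT_ROLE_TYPE[seuser]
    return f"{seuser}:{role}:{typ}:{mls}"


def accounts_reaching(seuser, logins, entries, groups=GROUPS):
    """Audit helper: which of these Linux accounts end up as `seuser`?"""
    return sorted(l for l in logins
                  if (resolve_seuser(l, entries, groups) or (None,))[0] == seuser)


def with_default(entries, seuser):
    """Model `semanage login -m -s <seuser> __default__` on the parsed map."""
    return [(n, seuser if n == "__default__" else s, m) for n, s, m in entries]


if __name__ == "__main__":
    entries = parse_login_map(SEMANAGE_LOGIN_L)
    logins = ["root", "alice", "bob", "carol"]
    for login in logins:
        print(f"{login:6} -> {initial_context(login, entries)}")
    print("sysadm_u before:", accounts_reaching("sysadm_u", logins, entries))
    print("sysadm_u after remapping __default__:",
          accounts_reaching("sysadm_u", logins, with_default(entries, "sysadm_u")))
```

       Running it shows that bob, who is in wheel, stays in staff_u even after
       __default__ is remapped, because the %group entry is consulted before
       __default__, while the unmapped account carol silently becomes
       sysadm_u.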

USER DESCRIPTION

       The SELinux user sysadm_u is an admin user: a Linux user mapped to it
       is intended for administrative actions. It is usually assigned to the
       root Linux user.


SUDO

       A user in sysadm_u can execute sudo.

       You can set up sudo to run a command in a different role and type by
       adding one or more entries like the following to sudoers with visudo:

       USERNAME ALL=(ALL) ROLE=staff_r TYPE=staff_t COMMAND
       sudo will run COMMAND as sysadm_u:staff_r:staff_t:LEVEL

       USERNAME ALL=(ALL) ROLE=user_r TYPE=user_t COMMAND
       sudo will run COMMAND as sysadm_u:user_r:user_t:LEVEL

       The role named in the entry must be one the SELinux user is allowed to
       reach, so you might also need to add the new role to your SELinux user
       record.

       List the SELinux roles your SELinux user can reach by executing:

       $ semanage user -l | grep sysadm_u

       Modify the roles list so that it includes the role named in the
       sudoers entry, for example:

       $ semanage user -m -R 'sysadm_r staff_r user_r' sysadm_u

       For more details see the semanage(8) man page.

       Note that staff_r and user_r carry less access than sysadm_r, so these
       entries narrow what COMMAND can do; they do not grant extra privilege.
       sudo invoked from sysadm_t does not stay in sysadm_t but transitions
       into its own domain, documented in sysadm_sudo_selinux(8).

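       The role check described above, as an added example that is not part
       of this man page, sudo or semanage. It parses a constructed
       `semanage user -l` listing, reads the ROLE= and TYPE= options out of a
       sudoers entry, reports the context the command would run in, and, when
       the SELinux user cannot reach that role, prints the `semanage user -m
       -R` command that adds it while keeping the existing roles. The parser
       assumes the plain `user host=(runas) [ROLE=..] [TYPE=..] command`
       form without tag specs such as NOPASSWD:, and the account names and
       commands are constructed.

```python
"""Check sudoers ROLE=/TYPE= entries against the roles the caller's SELinux
user may reach, as reported by `semanage user -l`, and print the fix.

Added example, not part of the man page, sudo or semanage. The command
output and the sudoers lines are constructed samples; the parser assumes
the simple `user host=(runas) [ROLE=..] [TYPE=..] command` form without
tag specs such as NOPASSWD:."""

# Constructed `semanage user -l` excerpt (sysadm_u with its default roles).
SEMANAGE_USER_L = """\
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
"""


def parse_semanage_user(text):
    """Map SELinux user -> (MLS/MCS range, set of reachable roles)."""
    users = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0].endswith("_u"):
            users[parts[0]] = (parts[3], set(parts[4:]))
    return users


def parse_sudoers_rule(line):
    """Split one rule into (user, ROLE, TYPE, command); ROLE/TYPE may be None."""
    tokens = line.split()
    user, rest = tokens[0], tokens[2:]          # tokens[1] is the host=(runas) spec
    opts = dict(t.split("=", 1) for t in rest if t.startswith(("ROLE=", "TYPE=")))
    cmd = " ".join(t for t in rest if not t.startswith(("ROLE=", "TYPE=")))
    return user, opts.get("ROLE"), opts.get("TYPE"), cmd


def check_rule(line, seuser, users):
    """Return (ok, resulting_context, fix_command) for a rule run by `seuser`.

    ok is False when the rule names a role the SELinux user cannot reach;
    the fix is the semanage command that adds it (existing roles kept)."""
    _, role, typ, _ = parse_sudoers_rule(line)
    if role is None or typ is None:
        return True, None, None                  # nothing SELinux-specific to check
    mls, roles = users[seuser]
    ctx = f"{seuser}:{role}:{typ}:{mls}"
    if role in roles:
        return True, ctx, None
    fix = f"semanage user -m -R '{' '.join(sorted(roles | {role}))}' {seuser}"
    return False, ctx, fix


if __name__ == "__main__":
    users = parse_semanage_user(SEMANAGE_USER_L)
    rules = [
        "alice ALL=(ALL) ROLE=staff_r TYPE=staff_t /usr/bin/systemctl",
        "alice ALL=(ALL) ROLE=user_r TYPE=user_t /usr/bin/less",
    ]
    for rule in rules:
        ok, ctx, fix = check_rule(rule, "sysadm_u", users)
        print(f"{'OK  ' if ok else 'FAIL'} {ctx}" + (f"\n      fix: {fix}" if fix else ""))
```

       With the default sysadm_u record (sysadm_r only) both sample rules
       fail the check, which is exactly the situation the paragraph above
       warns about; the printed fix adds the missing role without dropping
       sysadm_r.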

X WINDOWS LOGIN

       The SELinux user sysadm_u is not able to log in through X Windows
       unless the xdm_sysadm_login boolean is enabled (see BOOLEANS).


NETWORK

       The entries "all ports without defined types" and "all ports > 500 and
       < 1024" below stand for the generic port types; they cover only ports
       that have no specific type assigned. Check a port's type with
       semanage port -l before assuming it is covered.

       The SELinux user sysadm_u is able to listen on the following tcp ports.

              all ports without defined types

              2600-2604,2606

              11111

              9090

              9875

              5679

              3632

              3874

              1701

              2083

              6767,6769,6780-6799

              6081,6082

              11211

              5060,5061

              4713

              3205

              1863

              1521,2483,2484

              1358

              1050

              9050

              49000

              4330

              5347

              9191

              3052

              10026

              8140

              1128,1129

              2273

              5323

              4743

              9225

              3551

              2947

              3528,3529

              1228

              9292

              5298

              4500

              5222,5223

              2000,3905

              5190-5193

              1186,3306,63132-63164

              3310

              12888,12889

              3129

              1234

              8021

              9125

              10080-10083

              10024

              8000,9433,16001

              5335

              2049,20048-20049

              3636

              4949

              10025

              8787

              5445,5455

              20048

              5269

              2040

              5671,5672

              6600

              4712,4447,7600,9123,9990,9999,18001

              25151

              5000,5001,4331

              1782,2207,2208,8290,50000,50002,8292,9100,9101,9102,9220,9221,9222,9280,9281,9282,9290,9291

              5050

              2501

              7890

              10180,10701,10443-10446

              16851

              5858

              2703

              1178

              8765

              1720

              16509,16514

              9911

              all ports > 500 and < 1024

              49152-49216

              7100

              8002

              5404,5405

              2628

              6363

              8081

              1755

              31416

              11371

              8099

              4444

              1314

              5988

              6000-6150

              5900-5999

              1721,7000

              1194

              1213

              9010

              9418

              27017-27019,28017-28019

              5703

              3493

              4190

              8891,8893

              7390

              1229

              5989

              6379

              3261

              5149,40040,50006-50008

              4379

              2005

              3000,3001

              6969,9001,9030,9051

              24007-24027,38465-38469

              13180,13701,13443-13446

              8084

              8036

              9618

              3128,8080,8118,8123,10001-10010

              4690

              7888,7889

              5432

              3401,4827

              9080

              11180,11701,11443-11446

              3260

              9103

              7634

              6667

              3690

              10031

              51235

              1433,1434

              7410

              2401

              10050

              1241

              60000

              5252

              9696

              10051

              2126,3198


       The SELinux user sysadm_u is able to connect to the following tcp
       ports.

              389,636,3268

              53

              all ports

              all ports without defined types

              all ports < 1024

              5432

              9080

              88,750

              111


       The SELinux user sysadm_u is able to listen on the following udp ports.

              all ports without defined types

              123

              all ports > 500 and < 1024


       The SELinux user sysadm_u is able to connect to the following udp
       ports.

              389,636,3268

              53

              all ports

              all ports without defined types

              all ports < 1024

              5432

              9080

              88,750

              111



BOOLEANS

       SELinux policy is customizable based on least access required. The
       sysadm policy is extremely flexible and has several booleans that allow
       you to tune the policy and run sysadm with the tightest access
       possible. Each entry below names the boolean, its effect and its
       default; the -P flag of setsebool makes the change persistent across
       reboots. Several of these booleans affect every domain on the system,
       not only sysadm_t, so read the description before enabling one.


       If you want to allow direct login to the console device (required for
       System 390), turn on the allow_console_login boolean. Enabled by
       default.

       setsebool -P allow_console_login 1


       If you want to allow all domains to use other domains' file
       descriptors, turn on the allow_domain_fd_use boolean. Enabled by
       default.

       setsebool -P allow_domain_fd_use 1


       If you want to allow unconfined executables to map a memory region as
       both executable and writable, turn on the allow_execmem boolean. This
       is dangerous, and the executable that needs it should be reported in
       bugzilla. Enabled by default.

       setsebool -P allow_execmem 1


       If you want to allow unconfined executables to make their stack
       executable, turn on the allow_execstack boolean. This should never be
       necessary: it usually indicates a badly coded executable, but could
       indicate an attack, and the executable should be reported in bugzilla.
       Enabled by default.

       setsebool -P allow_execstack 1


       If you want to allow confined applications to run with kerberos, turn
       on the allow_kerberos boolean. Enabled by default.

       setsebool -P allow_kerberos 1


       If you want to allow sysadm to debug or ptrace all processes, turn on
       the allow_ptrace boolean. Disabled by default.

       setsebool -P allow_ptrace 1


       If you want to allow users to connect to mysql, turn on the
       allow_user_mysql_connect boolean. Disabled by default.

       setsebool -P allow_user_mysql_connect 1


       If you want to allow users to connect to PostgreSQL, turn on the
       allow_user_postgresql_connect boolean. Disabled by default.

       setsebool -P allow_user_postgresql_connect 1


       If you want to allow the system to run with NIS, turn on the
       allow_ypbind boolean. Disabled by default.

       setsebool -P allow_ypbind 1


       If you want to allow all domains to have the kernel load modules, turn
       on the domain_kernel_load_modules boolean. Disabled by default.

       setsebool -P domain_kernel_load_modules 1


       If you want to allow all domains to execute in fips_mode, turn on the
       fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1


       If you want to allow calling user domains to execute the Git daemon in
       the git_session_t domain, turn on the git_session_users boolean.
       Disabled by default.

       setsebool -P git_session_users 1


       If you want to enable reading of urandom for all domains, turn on the
       global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1


       If you want to enable support for upstart as the init program, turn on
       the init_upstart boolean. Enabled by default.

       setsebool -P init_upstart 1


       If you want to allow confined applications to use nscd shared memory,
       turn on the nscd_use_shm boolean. Enabled by default.

       setsebool -P nscd_use_shm 1


       If you want to enable secure mode, which disallows programs such as
       newrole from transitioning to administrative user domains, turn on the
       secure_mode boolean. Disabled by default.

       setsebool -P secure_mode 1


       If you want to disable transitions to insmod, turn on the
       secure_mode_insmod boolean. Disabled by default.

       setsebool -P secure_mode_insmod 1


       If you want to prevent the system from loading policy, setting
       enforcing mode and changing boolean values, turn on the
       secure_mode_policyload boolean. Once set to true it cannot be cleared
       without a reboot, and further setsebool calls are themselves refused.
       Disabled by default.

       setsebool -P secure_mode_policyload 1


       If you want to allow ssh logins as sysadm_r:sysadm_t, turn on the
       ssh_sysadm_login boolean. Disabled by default.

       setsebool -P ssh_sysadm_login 1


       If you want to support NFS home directories, turn on the
       use_nfs_home_dirs boolean. Disabled by default.

       setsebool -P use_nfs_home_dirs 1


       If you want to support SAMBA home directories, turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1


       If you want to allow regular users direct mouse access, turn on the
       user_direct_mouse boolean. Disabled by default.

       setsebool -P user_direct_mouse 1


       If you want to allow users to read and write files on filesystems that
       do not have extended attributes (FAT, CDROM, FLOPPY), turn on the
       user_rw_noexattrfile boolean. Disabled by default.

       setsebool -P user_rw_noexattrfile 1


       If you want to allow users to run TCP servers (bind to ports and accept
       connections from the same domain and from outside users), turn on the
       user_tcp_server boolean. Leaving it disabled forces FTP passive mode
       and may change other protocols. Disabled by default.

       setsebool -P user_tcp_server 1


       If you want to allow w to display everyone, turn on the
       user_ttyfile_stat boolean. Disabled by default.

       setsebool -P user_ttyfile_stat 1


       If you want to allow xdm logins as sysadm, turn on the
       xdm_sysadm_login boolean. Disabled by default.

       setsebool -P xdm_sysadm_login 1


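       A drift check over the booleans listed in this section, as an added
       example that is not part of this man page or of the sepolicy tools. It
       parses a constructed `getsebool -a` excerpt that matches the defaults
       stated above, compares it with a hardened baseline, and emits the
       `setsebool -P` commands that close the gap. The baseline values are
       this example's own choices rather than recommendations from the page,
       and secure_mode_policyload is treated as the edge case it is: because
       it cannot be cleared without a reboot it is never emitted unless the
       caller asks for it explicitly.

```python
"""Compare the booleans in this section against a hardened baseline and emit
the `setsebool -P` commands that close the gap, refusing to touch the one
boolean that cannot be undone without a reboot.

Added example, not from the man page or the sepolicy tools. The `getsebool -a`
output is constructed to match the defaults stated above; the BASELINE values
are this example's own choices, not recommendations from the page."""

# Constructed `getsebool -a` excerpt matching the stated defaults.
GETSEBOOL_A = """\
allow_console_login --> on
allow_domain_fd_use --> on
allow_execmem --> on
allow_execstack --> on
allow_kerberos --> on
allow_ptrace --> off
allow_user_mysql_connect --> off
allow_user_postgresql_connect --> off
allow_ypbind --> off
domain_kernel_load_modules --> off
fips_mode --> on
secure_mode --> off
secure_mode_insmod --> off
secure_mode_policyload --> off
ssh_sysadm_login --> off
user_tcp_server --> off
xdm_sysadm_login --> off
"""

# Desired state: this example's own hardening choices.
BASELINE = {
    "allow_execmem": False,             # no W+X mappings for unconfined executables
    "allow_execstack": False,           # no executable stacks
    "allow_ptrace": False,              # sysadm_t must not ptrace every process
    "domain_kernel_load_modules": False,
    "secure_mode_insmod": True,         # block transitions to insmod
    "ssh_sysadm_login": False,          # remote admins log in as staff_u and switch role
    "xdm_sysadm_login": False,
}

# Setting this to 1 locks out policy loads, enforcing-mode changes and further
# setsebool calls until reboot, so it is never emitted implicitly.
IRREVERSIBLE = {"secure_mode_policyload"}


def parse_getsebool(text):
    """Turn `name --> on|off` lines into {name: bool}."""
    state = {}
    for line in text.splitlines():
        name, sep, value = line.partition("-->")
        if sep:
            state[name.strip()] = value.strip() == "on"
    return state


def drift(current, baseline):
    """{name: (current_or_None, desired)} for every baseline entry not already met."""
    return {name: (current.get(name), want)
            for name, want in baseline.items() if current.get(name) != want}


def remediation(diff, allow_irreversible=False):
    """setsebool -P commands (sorted for review) for the drifted booleans.

    Booleans absent from the running policy and, unless explicitly allowed,
    irreversible ones are reported as comments instead of commands."""
    cmds = []
    for name, (cur, want) in sorted(diff.items()):
        if cur is None:
            cmds.append(f"# {name}: not present in this policy, skipped")
        elif name in IRREVERSIBLE and not allow_irreversible:
            cmds.append(f"# {name}: cannot be undone without a reboot, skipped")
        else:
            cmds.append(f"setsebool -P {name} {int(want)}")
    return cmds


if __name__ == "__main__":
    current = parse_getsebool(GETSEBOOL_A)
    print("\n".join(remediation(drift(current, BASELINE))))
    locked = dict(BASELINE, secure_mode_policyload=True)
    print("\n".join(remediation(drift(current, locked))))
```

       Against the stated defaults the baseline yields three commands: turn
       off allow_execmem and allow_execstack, turn on secure_mode_insmod.
       Review the output before running it; on a real host the excerpt is
       replaced by the output of getsebool -a.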

HOME_EXEC

       The SELinux user sysadm_u is able to execute home content files.


TRANSITIONS

       Three things can happen when sysadm_t attempts to execute a program.

       1. SELinux policy can deny sysadm_t permission to execute the program.


       2. SELinux policy can allow sysadm_t to execute the program in the
       current type, without a domain transition.

              Execute the following to see the file types that sysadm_t can
              execute without transitioning:

              $ sesearch -A -s sysadm_t -c file -p execute_no_trans


       3. SELinux policy can allow sysadm_t to execute the program and
       transition to a new type.

              Execute the following to see the types that sysadm_t can
              execute and transition to:

              $ sesearch -A -s sysadm_t -c process -p transition

       Such transitions are how an administrator in sysadm_t reaches su, sudo,
       passwd, screen, ssh-agent and seunshare in their own domains; see the
       sysadm_*_selinux pages listed under SEE ALSO.



MANAGED FILES

       The SELinux process type sysadm_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs DAC permission.
       Entries without a path are attributes grouping several types
       (boolean_type, non_security_file_type, sysctl_type, user_home_type) or
       labels applied to whole filesystems rather than to paths. Because
       non_security_file_type covers every file type not marked as a security
       file, sysadm_t can manage most of the filesystem; only the
       security-sensitive types are excluded. The listing omits the file-type
       qualifiers of file_contexts, so the etc_runtime_t pattern /[^/]+
       applies to regular files directly under / (such as /halt and
       /fastboot), not to the top-level directories.

       auditd_etc_t

            /etc/audit(/.*)?

       auditd_log_t

            /var/log/audit(/.*)?
            /var/log/audit.log.*

       boolean_type


       cifs_t


       etc_runtime_t

            /[^/]+
            /etc/mtab.*
            /etc/blkid(/.*)?
            /etc/nologin.*
            /etc/zipl.conf.*
            /etc/smartd.conf.*
            /etc/.fstab.hal..+
            /etc/sysconfig/ip6?tables.save
            /halt
            /etc/motd
            /fastboot
            /poweroff
            /etc/issue
            /etc/cmtab
            /forcefsck
            /.autofsck
            /.suspended
            /fsckoptions
            /etc/HOSTNAME
            /.autorelabel
            /etc/securetty
            /etc/nohotplug
            /etc/issue.net
            /etc/killpower
            /etc/ioctl.save
            /etc/reader.conf
            /etc/fstab.REVOKE
            /etc/mtab.fuselock
            /etc/network/ifstate
            /etc/sysconfig/hwconf
            /etc/ptal/ptal-printd-like
            /etc/xorg.conf.d/00-system-setup-keyboard.conf

       ethereal_home_t

            /home/[^/]*/.ethereal(/.*)?
            /home/staff/.ethereal(/.*)?

       git_user_content_t

            /home/[^/]*/public_git(/.*)?
            /home/[^/]*/.gitconfig
            /home/staff/public_git(/.*)?
            /home/staff/.gitconfig

       non_security_file_type


       noxattrfs

            all files on file systems which do not support extended attributes

       sandbox_file_t


       sandbox_tmpfs_type

            all sandbox content in tmpfs file systems

       screen_home_t

            /root/.screen(/.*)?
            /home/[^/]*/.screen(/.*)?
            /home/[^/]*/.screenrc
            /home/staff/.screen(/.*)?
            /home/staff/.screenrc

       screen_var_run_t

            /var/run/screen(/.*)?

       sysctl_type


       usbfs_t


       user_home_t

            /home/[^/]*/.+
            /home/staff/.+

       user_home_type

            all user home files

       user_tmp_t

            /tmp/gconfd-.*
            /tmp/gconfd-staff

       user_tmpfs_t

            /dev/shm/mono.*
            /dev/shm/pulse-shm.*



COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.



AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), sysadm(8), semanage(8), restorecon(8), chcon(1),
       setsebool(8), sysadm_passwd_selinux(8), sysadm_screen_selinux(8),
       sysadm_seunshare_selinux(8), sysadm_ssh_agent_selinux(8),
       sysadm_su_selinux(8), sysadm_sudo_selinux(8)


833
834
mgrepl@redhat.com                   sysadm                   sysadm_selinux(8)